Botnet Plug-X: Can't be cleaned up?
While authorities in France and the USA shut down the Plug-X malware on affected computers, in Germany they only provide information about infections.
Just over a year and a half ago, the French IT security company Sekoia gained access to the command server IP of the Plug-X botnet. Tens of thousands of infected end devices reported themselves there. Sekoia went in search of disinfection options and found what it was looking for. The malware contains a disinfection routine that can be triggered with a simple command. However, the company preferred to leave this to the authorities with the appropriate rights and asked for international support. France and the USA, among others, disinfected thousands of systems. In Germany, however, things are stuck.
Sekoia's offer
Suspected Chinese attackers originally developed Plug-X as a remote access tool that they distributed via USB sticks. They then used it to steal confidential data from VW on a large scale. The malware was later expanded into a self-propagating plague, i.e. a worm that then spread uncontrollably and began to infect devices around the world. The French company shied away from becoming active on third-party systems all over the world. Instead, Sekoia developed a simple interface and launched an international appeal to government authorities worldwide to use the functions provided to remove the malware from devices under their jurisdiction.
As Sekoia describes it, they could simply use a command on the host computer to trigger a deletion process that Plug-X already provides. This means that it is not necessary to install your own software on the target computer. Alternatively, Sekoia also offers another cleaning function: in order to clean connected USB devices, a payload is loaded onto the computer that changes the directory tree of USB storage devices. Sekoia itself described this variant as "highly intrusive" and warned of legal difficulties.
FBI uses the malware's kill switch
Back in the summer of 2024, French authorities disinfected several thousand systems in France with Sekoia's help. Now the FBI has followed suit and announced a few days ago that 4,200 computers in the USA were cleaned up as part of the disinfection campaign; the simple kill command was apparently used. The request was made by an FBI employee from Philadelphia. This is legal under US law to prevent harm if a judge approves it. The description of the approved application is publicly viewable, as is customary in the US judicial system.
According to Sekoia, a total of ten states have now deactivated the malware on the basis of appropriate legal norms. The authorities of 34 countries, including German authorities, have been provided via Europol with data on affected systems and on possible clean-up options. heise security asked about the current status. After all, there is a fairly simple, unproblematic solution that could demonstrably be used to clean many systems.
German authorities have concerns
But the BKA waved it off: The French solution "could not be implemented by the BKA, in particular due to the lack of police emergency response powers at federal level in the area of cybercrime." However, the Wiesbaden authority had already taken more courageous action in another case: the Emotet malware. At that time, the authority even dared to run its own cleaning software on the infected devices and, according to many experts, at least pushed the legal boundaries. Nevertheless, in retrospect, the operation is generally regarded as a success against organized cybercrime. Why the far less critical deactivation function was not even used was not explained to us. If the BKA were to intervene here again, a key argument for an alleged legal loophole would no longer apply. Perhaps it is ultimately all about politics and not primarily about IT security?
In addition, such malware clean-up can already be carried out by force via telecommunications providers in accordance with Section 7(c) of the BSI Act ("technical commands to clean up a specifically named malicious program on affected information technology systems"). However, this is only possible under strict conditions, for example if critical infrastructures, providers of digital services or the communications technology of the federal government are threatened. Only in these cases may the Federal Office for Information Security (BSI), following consultation with the Federal Network Agency and the Federal Data Protection Commissioner, also "forcibly cleanse" customer systems – and even then only if it is economically and technically reasonable for the ISPs.
However, this does not seem appropriate to the BSI. In response to our inquiry, it stated that the authority has been reporting Plug-X infections since the end of January 2024, including data from Sekoia since May 2024. The information about the infection is first sent to the responsible internet provider, who would then have to inform their customers. Experience has shown that this procedure only leads to very low clean-up rates, as the BSI is of course aware. However, the Bonn-based IT security authority reports that the number of people affected in Germany in January 2025 is "very low". Other threats are obviously considered more urgent at the moment.
(vbr)